Estimating software fault-proneness for tuning testing activities
Proceedings of the 22nd international conference on Software engineering
Building secure software: how to avoid security problems the right way
Building secure software: how to avoid security problems the right way
Regression Using JMP
Software vulnerability analysis
Software vulnerability analysis
Some issues in multi-phase software reliability modeling
CASCON '93 Proceedings of the 1993 conference of the Centre for Advanced Studies on Collaborative research: software engineering - Volume 1
ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
Software Reliability Engineering: More Reliable Software Faster and Cheaper
Software Reliability Engineering: More Reliable Software Faster and Cheaper
Use of relative code churn measures to predict system defect density
Proceedings of the 27th international conference on Software engineering
Predicting component failures at design time
Proceedings of the 2006 ACM/IEEE international symposium on Empirical software engineering
Data Mining
Milk or wine: does software security improve with age?
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Predicting vulnerable software components
Proceedings of the 14th ACM conference on Computer and communications security
Applying Software Reliability Models on Security Incidents
ISSRE '07 Proceedings of the The 18th IEEE International Symposium on Software Reliability
On the Value of Static Analysis for Fault Detection in Software
IEEE Transactions on Software Engineering
Failure-prone components are also attack-prone components
Companion to the 23rd ACM SIGPLAN conference on Object-oriented programming systems languages and applications
Prioritizing software security fortification throughcode-level metrics
Proceedings of the 4th ACM workshop on Quality of protection
Is complexity really the enemy of software security?
Proceedings of the 4th ACM workshop on Quality of protection
Ranking Attack-Prone Components with a Predictive Model
ISSRE '08 Proceedings of the 2008 19th International Symposium on Software Reliability Engineering
Which is the right source for vulnerability studies?: an empirical analysis on Mozilla Firefox
Proceedings of the 6th International Workshop on Security Measurements and Metrics
Interactive churn metrics: socio-technical variants of code churn
ACM SIGSOFT Software Engineering Notes
| Hi-index | 0.02 |
In the search for metrics that can predict the presence of vulnerabilities early in the software life cycle, there may be some benefit to choosing metrics from the non-security realm. We analyzed non-security and security failure data reported for the year 2007 of a Cisco software system. We used non-security failure reports as input variables into a classification and regression tree (CART) model to determine the probability that a component will have at least one vulnerability. Using CART, we ranked all of the system components in descending order of their probabilities and found that 57% of the vulnerable components were in the top nine percent of the total component ranking, but with a 48% false positive rate. The results indicate that non-security failures can be used as one of the input variables for security-related prediction models.